b'   Oversight Review        October 9, 2008\n\n\nQuality Control Review of Naval Audit Service\'s\n        Special Access Program Audits\n\n          Report No. D-2009-6-001\n\x0c       Additional Copies\n\n       To obtain additional copies of the final report, visit the Web site of the Department\n       of Defense Inspector General at www.dodig.mil/audit/reports or contact the Office\n       of the Assistant Inspector General for Audit Policy and Oversight at (703)\n       604-8760 or fax (703) 604-9808.\n\n       Suggestions for Future Reviews\n\n       To suggest ideas for or to request future reviews, contact the Office of the Assistant\n       Inspector General for Audit Policy and Oversight at (703) 604-8760\n       (DSN 664-8760) or fax (703) 604-9808. Ideas and requests can also be mailed to:\n\n                                          OAIG-APO\n                            Department of Defense Inspector General\n                              400 Army Navy Drive (Room 1017)\n                                  Arlington, VA 22202-4704\n\n       Defense Hotline\n\n       To report fraud, waste, or abuse, contact the Defense Hotline by calling\n       (800) 424-9098; by sending an electronic message to Hotline@dodig.mil; or by\n       writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900. The\n       identity of each writer and caller is fully protected.\n\n\n\n\nAcronyms\nAAA                    Army Audit Agency\nGAS                    Government Auditing Standards\nIG                     Inspector General\nNAS                    Naval Audit Service\nPCIE                   President\xe2\x80\x99s Council on Integrity and Efficiency\nSAP                    Special Access Programs\n\x0c                                    nj;:\'~AUTA&~="I"l\'   OF OEF:EN~~!=\n                                     400 ARMY NAVY DRIVE\n                                            VIRGINIA "<:!,,02--47(}4\n\n\n\n\nMEMORANDUM FOR AUDITOR GENERAL, DEPARTMENT OF THE NAVY\n\nSUBJECT: Quality Control Review of Naval Audit Service\'s Special               Cl.."\'\'\'\'~~);:\'   Program\n         Audits (Report No. D-2009-6-00 1)\n\n       We are providing this report for your information and use.              reviewed the\n       Audit Service\'s (NAS)                  of quality control over Special        Programs\n       audits for the two               ended September 30, 2007. The Government Auditing\n                    "\'"1\'.UL\'"J that an audit                performing audits and/or att(~stalt10n\nem~ag;elTlents in accordance with              should have an appropriate internal quality control\n                       ~ .. ~.~.,..,~ an         peer         at      once                   by\n                                 the\n\x0cAppendix A. Comments, Observations, and\n            Recommendations\nWe are issuing an unmodified opinion because we determined that the NAS quality control\nsystem is adequately designed and functioning as prescribed. The concerns we identified with\nthe findings, conclusions, or recommendations during our review of the selected NAS audit\nreports were not cumulatively significant enough to indicate that material deficiencies existed in\nthe NAS quality control system for complying with GAS. Because of the timeframe of the audit\nreports in our review, we measured the audits for compliance with the 2003 revision of the GAS\nand the July 2006 NAS Audit Handbook. We identified issues that are still applicable even\nwhen we apply the updated 2007 revision of GAS and the May 2008 NAS Audit Handbook.\n\nAlthough the concerns we identified did not affect our overall opinion, there were areas where\nNAS could improve the quality control process. We originally judgmentally selected three audit\nreports issued during a two year time period ending September 30, 2007; however, we were only\nable to review two of the audit reports because of additional security requirements for one of the\nreports in the original sample. We tested the reports for compliance with GAS and NAS audit\npolicies in nine areas to include independence, professional judgment, competence, audit\nplanning, supervision, evidence and audit documentation, reporting, non-audit services, and\nquality control. We identified minor discrepancies in three of the nine areas in our review in\napplying NAS audit policy relating to:\n\n   \xe2\x80\xa2   audit planning,\n\n   \xe2\x80\xa2   evidence and documentation, and\n\n   \xe2\x80\xa2   quality control.\n\nAudit Planning. GAS 7.41 (2003 Revision) states that a written audit plan should be prepared\nfor each audit. The form and content of the written audit plan will vary among audits but should\ninclude an audit program or project plan, a memorandum, or other appropriate documentation of\nkey decisions about the audit objectives, scope, and methodology and of the auditors\xe2\x80\x99 basis for\nthose decisions. It should be updated as necessary, to reflect any significant changes to the plan\nmade during the audit. In addition, GAS 7.42 states that documenting the audit plan is an\nopportunity for the auditors to supervise audit planning.\n\nNAS Audit Handbook (July 2006, Section 406) requires that a survey plan/program will be\ndeveloped early in the audit to gather the information that will, in turn, comprise the content of\nthe formal survey debrief. NAS Audit Handbook (July 2006, Section 415, paragraph 2) requires\nthat the responsible Associate Director must approve the audit program before the start of the\naudit verification phase.\n\n\n\n\n                                                2\n\x0cWe found that NAS did not adequately plan for one of the two audits in our review. One audit in\nthe review was an audit assist, and an audit plan had not been prepared. The audit files for this\nreport also did not include documentation to indicate why an audit plan had not been prepared.\nFor another audit in our review, a survey program had been prepared, but we could not determine\nthe date that the survey program had been prepared. The steps for the survey were included as\npart of the audit program. While there were no dates to indicate when the auditors prepared the\nsurvey program, there was documentation in the files to show that survey steps were completed,\nand the auditors presented their results of the survey phase in a ninety day survey debrief to NAS\nmanagement.\n\n        Recommendation: We recommend that the Auditor General of the Navy issue a\nmemorandum to remind all SAP audit personnel of the importance of complying with\nestablished guidance for preparing survey and audit programs early in the audit.\n\n        Management Comments. The Auditor General concurred with the recommendation and\nstated that an e-mail will be sent to the audit staff to remind them of the importance of complying\nwith the established guidance for preparing survey and audit programs early in the audit.\n\n       Reviewer Response. Management comments are responsive.\n\nEvidence and Documentation. GAS 7.66 (2003 Revision) states that auditors should prepare\nand maintain audit documentation. GAS 7.66 also states that audit documentation should\ncontain support for findings, conclusions, and recommendations before auditors issue their\nreport.\n\nNAS Audit Handbook (July 2006, Section 501) reiterates the GAS by stating that auditors should\nprepare and maintain audit documentation, and the audit documentation should contain support\nfor findings, conclusions, and recommendations before auditors issue their report.\n\nWe judgmentally selected ten facts and/or figures from the working papers for one of the audit\nreports in our review. We found that all of the ten facts and/or figures were supported and\nincluded working paper elements such as purpose, source, scope, and conclusion as required in\nthe NAS Audit Handbook. For the other audit report in our review, we judgmentally selected\nfifteen facts and/or figures in the audit report. We reviewed the supporting working papers for\nevidence and documentation and supervisory reviews. We found that one of the figures had not\nbeen properly updated in the working paper after the independent reference review. While the\nauditor did not properly update the working paper to reflect the change, the updated figure was\ncorrected in the audit report. Though the information was not properly documented, it did not\nhave a significant impact on the results or the conclusions presented in the report.\n\nIn addition, we were unable to locate a working paper in the audit files that supported at least\ntwo facts/figures in the audit report. The facts relating to the working paper did not have a\nsignificant impact because they did not affect the results and conclusions addressed in the report.\n\n\n\n\n                                                 3\n\x0c        Recommendation: We recommend that the Auditor General of the Navy issue a\nmemorandum to remind all SAP audit personnel of the importance of complying with\nestablished guidelines for documenting evidence to include maintaining information in the audit\nfiles and updating audit work included in the audit reports.\n\n        Management Comments. The Auditor General concurred with the recommendation and\nstated that an email will be sent to the audit staff to remind them of the importance of complying\nwith established guidelines for documenting evidence to include maintaining information in the\naudit files and updating audit work included in the audit reports.\n\n       Reviewer Response. Management comments are responsive.\n\nQuality Control. GAS 3.49 (2003 Revision) requires that each audit organization performing\naudits and/or attestation engagements in accordance with GAS should have an appropriate\ninternal quality control system in place. Also, GAS 3.51 states that each audit organization\nshould prepare appropriate documentation for its system of quality control to demonstrate\ncompliance with its policies and procedures.\n\nNAS Audit Handbook (July 2006, Section 857) states that editors perform a mandatory check to\nensure that draft reports conform to the reporting standards for content and style. The editor\nprovides copies of a completed guide sheet to the applicable Program Manager, Associate\nDirector, and Assistant Auditor General who are responsible for making the appropriate\ncorrections. The Program Manager and/or Associate Director should ensure the completed guide\nsheets are included in the audit files.\n\nThe NAS used quality control procedures such as supervisory initials and dates on working\npapers, and independent reference reviews for draft and final audit reports. One of the audits in\nour review was an audit assist which used a letter report format. The audit files did not contain a\nchecklist identifying the editor\xe2\x80\x99s review. The NAS had not developed an editor\xe2\x80\x99s guide sheet for\nletter reports. The AAA recommended in their FY 2008 peer review of the NAS non-SAP audits\nfor the NAS to develop an editor\xe2\x80\x99s guide sheet for letter reports. The NAS management\ncommented that they would develop an editor\xe2\x80\x99s guide sheet for letter reports, attestation reports,\nand opinion reports. In response to the AAA recommendation, the NAS editor\xe2\x80\x99s have developed\na draft of the editor\xe2\x80\x99s guide sheet for letter reports. They are currently in the process of refining\nthe draft guide sheet for use by editors for letter reports, attestation reports, and opinion reports.\n\n\n\n\n                                                  4\n\x0cAppendix B. Scope and Methodology\nWe limited our review to the adequacy of NAS SAP audits\xe2\x80\x99 compliance with quality policies,\nprocedures, and standards. We originally judgmentally selected three SAP audits from a\nuniverse of formal reports issued by NAS SAP auditors during FY 2006 and FY 2007, but\nlimited our review to two audits because of additional security requirements for access to the\nthird report. We tested each audit for compliance with the NAS system of quality control. The\nAAA conducted a review of the NAS internal quality control system for non-SAP audits and/or\nattestation engagements and has issued a separate report. The Acting Assistant Inspector\nGeneral for Audit Policy and Oversight will issue an overall opinion report on the NAS internal\nquality control system that will include the combined results of the SAP and non-SAP audit\nreviews.\n\nIn performing our review, we considered the requirements of quality control standards and other\nauditing standards contained in the 2003 Revision of the GAS issued by the Comptroller General\nof the United States. GAS 3.52 states:\n\n       The external peer review should determine whether, during the period under review, the reviewed audit\n       organization\xe2\x80\x99s internal quality control system was adequate and whether quality control policies and\n       procedures were being complied with to provide the audit organization with reasonable assurance of\n       conforming with applicable professional standards. Audit organizations should take remedial, corrective\n       actions based on the results of the peer review.\n\nWe conducted this review in accordance with standards and guidelines established in the April\n2005 President\xe2\x80\x99s Council on Integrity and Efficiency (PCIE) \xe2\x80\x9cGuide for Conducting External\nPeer Reviews of the Audit Operations of Offices of Inspector General.\xe2\x80\x9d We used a modified\nguide to ensure consistency with the AAA review of non-SAP audits, and to reflect the unique\nnature of auditing within a SAP environment. We reviewed audit documentation, interviewed\nNAS auditors, and reviewed NAS internal audit policies. We reviewed the DoD OIG\nReport No. D-2005-6-010, \xe2\x80\x9cQuality Control Review of the Naval Audit Service\xe2\x80\x99s\nSpecial Access Program Audits\xe2\x80\x9d dated September 2, 2005, and the AAA\xe2\x80\x99s Letter of Comments\non the Fiscal Year 2008 External Quality Control Peer Review of the Naval Audit Service,\nReport: A-2008-0115- PMZ dated June 12, 2008. We performed this review from\nJuly to September 2008 at one NAS field office.\n\nWe used the following criteria to select the audits under review:\n\n   \xe2\x80\xa2   Worked backward starting with the FY 2007 audits in order to review the most current\n       quality assurance procedures in place.\n\n   \xe2\x80\xa2   Avoided audits with multiple SAPs associated with the audits for ease of access.\n\n   \xe2\x80\xa2   Avoided audits that have the same or similar titles, to ensure review of multiple types of\n       projects.\n\n\n\n                                                      5\n\x0cThe following table identifies the specific reports reviewed.\n\n   Report Number                   Date                               Title\n\nN-2006-0046                September 21, 2006         National Security Agency Military\n                                                      Interdepartmental Purchase Request\nN-2007-0049                  January 30, 2007         Intelligence Related Contracts (IRC)\n\n\nLimitations of Review. Our review would not necessarily disclose all weaknesses in the system\nof quality control or all instances of noncompliance with it because we based our review on\nselective tests. There are inherent limitations in considering the potential effectiveness of any\nquality control system. In performing most control procedures, departures can result from\nmisunderstanding of instructions, mistakes of judgment, carelessness, or other human factors.\nProjecting any evaluation of a quality control system into the future is subject to the risk that one\nor more procedures may become inadequate because conditions may change or the degree of\ncompliance with procedures may deteriorate.\n\n\n\n\n                                                  6\n\x0cAppendix C. Naval Audit Service Comments\n\n\n\n\n                     7\n\x0c8\n\x0c\x0c'